Re: Running developers as standard users in Vista with UAC enabled
- From: "John Sitka" <johnsitka@xxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Oct 2008 15:39:47 -0400
Hmm, seems reasonable.
Got any tips for the original poster.
All .NET based line-of-business application developers should run as standard user, otherwise they'll end up writing the usual
kind of rubbish programs we see that won't run properly without admin rights.
yikes I've never written one of those. Plenty of rubbish but none that require admin.
But with an impending Vista rollout should I be worried?
Any suggestions on how to solve?
Logging into the local machine == no Sharepoint + no VSS shares + no Internet access
that's a harsh way to spend a day. Sneakernet revisted, hope I can still get refills for the Dayrunner.
"Gerry Hickman" <gerry666uk2@xxxxxxxxxxxxxxxx> wrote in message news:%23l%23wctrNJHA.1488@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I don't agree.
All .NET based line-of-business application developers should run as standard user, otherwise they'll end up writing the usual
kind of rubbish programs we see that won't run properly without admin rights. This is a key reason for lazy and badly written
programs where they end up using HKLM instead of HKCU and don't make use of user policies and profiles.
If they're not already doing this, they'll get some nasty surprises when their target platform is Vista and above.
If they need to install software, write a driver or register a COM class, they can be given a local Admin account.
The key point is that their domain account should NEVER be placed in the Local Administrators group. The two things should be
completely separate.
John Sitka wrote:
I have been given the task of researching Vista and UAC and the feasibility
of running developers in an enterprise as standard users (not admins) without
That's kind of a strange task, unless you are looking at keeping your developers from installing ITunes or something
of that nature. But most developers install local programs, that's their job. Local Administrator / Domain user is what you want.
Developers are never Domain Admins (yes I understand one person could be asked to do both jobs)
put the Developer domain user (plain old user) accounts in their own AD OU,
Build appropriate domain groups for developers to be members of,
Wide open development shared Network resources such as development SQL servers and VSS shares get those groups.
Production network resources get other groups as required and more limited.
Put the developers in their local machine Administrators group.
Have the developers build against the full IIS Server on Vista, not that automated devenvironment IIS engine.
or against their own dedicated shared development webserver.
Have them run their development IDE's (VS etc.) as administrators(right click).
"Jan Hyde (VB MVP)" <StellaDrinker@xxxxxxxxxxxxxxxxxxx> wrote in message news:kjho94pfes1mneva6vnu79o9enu732gk3d@xxxxxxxxxx
Jeff Killberg <JeffKillberg@xxxxxxxxxxxxxxxxxxxxxxxxx>'s
wild thoughts were released on Thu, 7 Aug 2008 09:12:01
-0700 bearing the following fruit:
I am at a loss as to where to post this question, so I'll start here.It doesn't make sense. Developers are going to have a hard
I have been given the task of researching Vista and UAC and the feasibility
of running developers in an enterprise as standard users (not admins) without
an additional set of administrator credentials to elevate to. In other words,
if they get blocked by anything in UAC they would not have the ability to
elevate themselves. Need to change something in HKLM? Nope. Wanna edit an ini
file under \Windows? Nope. Etc.
if not impossible time without admin rights.
Firstly, why have them as standard users if you are going to
furnish them with the admin password? It seems pointless no?
I'm an admin user although I run under UAC so in effect
anything I run has standard priveleges. I set my Visual
Studio to run 'as admin' so that it runs under admin rights.
No problems at all.
My definition of developers would include developers coding for WindowsLet them have admin rights or your going to make thier work
using a tool like Visual Studio, as well as developers coding web apps using
a mix of tools such as VS, eclipse, Rational Software Architect, etc. These
developers will also have to deal with things like installation scripts,
configuration of software installations, etc.
Research I have found thus far has determined that this will be problematic
as you cannot (easily) define all of the 'exceptions' that a developer might
need to deal with on a regular basis and configure around these exceptions
such that the developer doesn't need to elevate. I would agree with this
assessment.
Anyone else have experience/examples in dealing with this? I am trying to
gather enough information/evidence to make a solid decision either way, and
would be curious as to other's findings.
very very difficult.
--
Jan Hyde (VB MVP)
https://mvp.support.microsoft.com/profile/Jan.Hyde
--
Gerry Hickman (London UK)
.
- Follow-Ups:
- Re: Running developers as standard users in Vista with UAC enabled
- From: Gerry Hickman
- Re: Running developers as standard users in Vista with UAC enabled
- References:
- Re: Running developers as standard users in Vista with UAC enabled
- From: Gerry Hickman
- Re: Running developers as standard users in Vista with UAC enabled
- Prev by Date: How to loop through <configSections> elements?
- Next by Date: Re: Console App in one EXE file
- Previous by thread: Re: Running developers as standard users in Vista with UAC enabled
- Next by thread: Re: Running developers as standard users in Vista with UAC enabled
- Index(es):
Relevant Pages
|
